Blog

SmartHome Device Vendor Data Leak Includes User Information

Orvibo is a Chinese manufacturer of smart home solutions. These are devices that allow owners to manage connected smart appliances in their home, remotely control lighting, security, HVAC and home entertainment devices, as well as monitor energy usage.

Data from those operations are hosted on the company's Smart Home cloud platform.

Orvibo sells their products all over the world, and they have a footprint in the US market. So if you use their products, be advised that the company has been informed of an exposed, unprotected Elasticsearch cluster containing more than two billion customer records. Worse, at the time this piece was written, the company had not taken steps to protect the exposed database, which is still growing as new data is added to it.

Among the customer data exposed were things like:

Email Addresses

IP Addresses

Username and User ID

Family name and Family ID

Device name and Device that accessed the account

Passwords

Account reset codes

Precise user geolocation

Recorded conversations captured via Smart Camera

Scheduling information

In other words, this is as complete and comprehensive as it gets. Basically, every bit of information Orvibo has on you and your family is open on the web where anyone can see it. In addition, if a hacker were to gain access to your account, he could change the email address and password. If that happened, you'd' literally never be able to regain control of your own account. That would give the hackers unfettered access to everything you had connected to the service, including video camera feeds, until you disconnected yourself from it.

If you use Orvibo equipment, you should change your password immediately and hope that when you do, the change isn't updated in the still-open database. If you can afford to, change your password and then simply disconnect from the service until the company resolves the issue.